Get Started
API Reference


This package is deprecated in favor of AuthSession. Check out the authentication guides to learn how to migrate your existing authentication today.
expo-app-auth allows you to authenticate and authorize your users through the native OAuth library AppAuth by OpenID.
Many services that let you authenticate with them or login with them, like GitHub, Google, GitLab, etc., use the OAuth 2.0 protocol. It's the industry standard.
If you are trying to implement sign in with Google or Facebook, there are special modules in the Expo SDK for those (though this module will work).

Platform Compatibility

Android DeviceAndroid EmulatoriOS DeviceiOS SimulatorWeb


expo install expo-app-auth

If you're installing this in a bare React Native app, you should also follow these additional installation instructions.

These steps are nearly identical to our Managed Workflow guide on deep linking in React Navigation.
You will want to decide on a URI scheme for your app, this will correspond to the prefix before :// in a URI. Ex: If your scheme is mychat then a link to your app would be mychat://.
The scheme only applies to standalone apps and you need to re-build the standalone app for the change to take effect. In the Expo Go app you can deep link using exp://ADDRESS:PORT where ADDRESS is often and PORT is often 19000 - the URL is printed when you run expo start.
If you want to test with your custom scheme you will need to run expo build:ios -t simulator or expo build:android and install the resulting binaries in your emulators. You can register for a scheme in your app.json by adding a string under the scheme key:
  "expo": {
    "scheme": "myapp"
To create a scheme that is appropriate for the environment, be sure to use Linking from expo:
import { Linking } from 'expo';

const prefix = Linking.makeUrl('/');
// Expo Go: `exp://ADDRESS:PORT`
// Standalone: `myapp://`
For more info on Linking in Expo.

Carefully follow our in-depth Bare Workflow guide for deep linking.
For more customization (like https redirects) please refer to the native docs: capturing the authorization redirect.

Below is a set of example functions that demonstrate how to use expo-app-auth with the Google OAuth sign in provider.
import React, { useEffect, useState } from 'react';
import { AsyncStorage, Button, StyleSheet, Text, View } from 'react-native';
import * as AppAuth from 'expo-app-auth';

export default function App() {
  let [authState, setAuthState] = useState(null);

  useEffect(() => {
    (async () => {
      let cachedAuth = await getCachedAuthAsync();
      if (cachedAuth && !authState) {
  }, []);

  return (
    <View style={styles.container}>
      <Text>Expo AppAuth Example</Text>
        title="Sign In with Google "
        onPress={async () => {
          const _authState = await signInAsync();
        title="Sign Out "
        onPress={async () => {
          await signOutAsync(authState);
      <Text>{JSON.stringify(authState, null, 2)}</Text>

const styles = StyleSheet.create({
  container: {
    flex: 1,
    backgroundColor: '#fff',
    alignItems: 'center',
    justifyContent: 'center',

let config = {
  issuer: 'https://accounts.google.com',
  scopes: ['openid', 'profile'],
  /* This is the CLIENT_ID generated from a Firebase project */
  clientId: '603386649315-vp4revvrcgrcjme51ebuhbkbspl048l9.apps.googleusercontent.com',

let StorageKey = '@MyApp:CustomGoogleOAuthKey';

export async function signInAsync() {
  let authState = await AppAuth.authAsync(config);
  await cacheAuthAsync(authState);
  console.log('signInAsync', authState);
  return authState;

async function cacheAuthAsync(authState) {
  return await AsyncStorage.setItem(StorageKey, JSON.stringify(authState));

export async function getCachedAuthAsync() {
  let value = await AsyncStorage.getItem(StorageKey);
  let authState = JSON.parse(value);
  console.log('getCachedAuthAsync', authState);
  if (authState) {
    if (checkIfTokenExpired(authState)) {
      return refreshAuthAsync(authState);
    } else {
      return authState;
  return null;

function checkIfTokenExpired({ accessTokenExpirationDate }) {
  return new Date(accessTokenExpirationDate) < new Date();

async function refreshAuthAsync({ refreshToken }) {
  let authState = await AppAuth.refreshAsync(config, refreshToken);
  console.log('refreshAuth', authState);
  await cacheAuthAsync(authState);
  return authState;

export async function signOutAsync({ accessToken }) {
  try {
    await AppAuth.revokeAsync(config, {
      token: accessToken,
      isClientIdProvided: true,
    await AsyncStorage.removeItem(StorageKey);
    return null;
  } catch (e) {
    alert(`Failed to revoke token: ${e.message}`);

There are a couple different methods for authenticating your app in React Native and Expo, this should help you know if expo-app-auth is right for your needs.

The AuthSession API is built on top of expo-web-browser and cuts out a lot of the tricky steps involved with web authentication. Both AppAuth and AuthSession use SFAuthenticationSession and ChromeCustomTabs to authenticate natively, but AppAuth has built in support for OpenID. AuthSession uses an extra Expo service that makes development easier (especially across teams) but this can have some extra security considerations.

The expo-app-auth module is based on react-native-app-auth by the incredible React.js consulting firm Formidable. The documentation and questions there may prove helpful. expo-app-auth provides a few extra features to make native app auth work inside a sand-boxed Expo Go environment.

import * as AppAuth from 'expo-app-auth';

AppAuth.authAsync(props: OAuthProps): Promise<TokenResponse>
Starts an OAuth flow and returns authorization credentials.

propsOAuthPropsConfiguration for the OAuth flow

tokenResponsePromise<TokenResponse>Authenticated response token

const config = {
  issuer: 'https://accounts.google.com',
  clientId: '<CLIENT_ID>',
  scopes: ['profile'],

const tokenResponse = await AppAuth.authAsync(config);

AppAuth.refreshAsync(props: OAuthProps, refreshToken: string): Promise<TokenResponse>
Renew the authorization credentials (access token). Some providers may not return a new refresh token.

propsOAuthPropsConfiguration for the OAuth flow
refreshTokenstringRefresh token to exchange for an Access Token

tokenResponsePromise<TokenResponse>Refreshed authentication response token

const config = {
  issuer: 'https://accounts.google.com',
  clientId: '<CLIENT_ID>',
  scopes: ['profile'],

const tokenResponse = await AppAuth.refreshAsync(config, refreshToken);

AppAuth.revokeAsync(props: OAuthBaseProps, options: OAuthRevokeOptions): Promise<any>
A fully JS function which revokes the provided access token or refresh token. Use this method for signing-out. Returns a fetch request.

propsOAuthBasePropsThe same OAuth configuratiton used for the initial flow
optionsOAuthRevokeOptionsRefresh token or access token to revoke

const config = {
  issuer: 'https://accounts.google.com',
  clientId: '<CLIENT_ID>',

const options = {
  token: accessToken, // or a refreshToken
  isClientIdProvided: true,

// Sign out...
await AppAuth.revokeAsync(config, options);

Redirect scheme used to assemble the redirectUrl prop. In standalone apps, this is either the android.package (for Android) or ios.bundleIdentifier (for iOS) value from your app.json. However, for apps running in Expo Go, AppAuth.OAuthRedirect is host.exp.exponent.

iOS only
A list of URL Schemes from the Info.plist

Return value of the following AppAuth methods:
  • AppAuth.authAsync()
  • AppAuth.refreshAsync()
accessTokenstring | nullAccess token generated by the auth server
accessTokenExpirationDatestring | nullApproximate expiration date and time of the access token
additionalParameters{ [string]: any } | nullAdditional parameters returned from the auth server
idTokenstring | nullID Token value associated with the authenticated session
tokenTypestring | nullTypically "Bearer" when defined or a value the client has negotiated with the auth Server
refreshTokenstring | undefinedThe most recent refresh token received from the auth server

clientIdstringThe client identifier
issuerstringURL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier
serviceConfigurationOAuthServiceConfigurationspecifies how to connect to a particular OAuth provider

extends OAuthBaseProps, is used to create OAuth flows.
clientIdstringThe client identifier
issuerstringURL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier
serviceConfigurationOAuthServiceConfigurationspecifies how to connect to a particular OAuth provider
clientSecretstring | undefinedused to prove that identity of the client when exchaning an authorization code for an access token
scopesArray<string> | undefineda list of space-delimited, case-sensitive strings define the scope of the access requested
redirectUrlstring | undefinedThe client's redirect URI. Default: AppAuth.OAuthRedirect + ':/oauthredirect'
additionalParametersOAuthParametersExtra props passed to the OAuth server request
canMakeInsecureRequestsboolean | undefinedAndroid: Only enables the use of HTTP requests

tokenstringThe access token or refresh token to revoke
isClientIdProvidedbooleanDenotes the availability of the Client ID for the token revocation

authorizationEndpointstring | undefinedOptional URL of the OP's OAuth 2.0 Authorization Endpoint
registrationEndpointstring | undefinedOptional URL of the OP's Dynamic Client Registration Endpoint
revocationEndpointstring | undefinedOptional URL of the OAuth server used for revoking tokens
tokenEndpointstringURL of the OP's OAuth 2.0 Token Endpoint

Learn more about OAuth Parameters on this exciting page: openid-connect-core. To save time I've copied over some of the relevant information, which you can find below.
nonceOAuthNonceParameter | undefined
displayOAuthParametersDisplay | undefined
promptOAuthPromptParameter | undefined
max_ageOAuthMaxAgeParameter | undefined
ui_localesOAuthUILocalesParameter | undefined
id_token_hintOAuthIDTokenHintParameter | undefined
login_hintOAuthLoginHintParameter | undefined
acr_valuesOAuthACRValuesParameter | undefined
Other parameters MAY be sent. See Sections 3.2.2, 3.3.2, 5.2, 5.5, 6, and 7.2.1 for additional Authorization Request parameters and parameter values defined by this specification.

type OAuthDisplayParameter = 'page' | 'popup' | 'touch' | 'wap';
ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
pageThe Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.
popupThe Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
touchThe Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
wapThe Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.

type OAuthPromptParameter = 'none' | 'login' | 'consent' | 'select_account';
Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
noneThe Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section This can be used as a method to check for existing authentication and/or consent.
loginThe Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.
consentThe Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.
select_accountThe Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.
The prompt parameter can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the request. If this parameter contains none with any other value, an error is returned.

type OAuthNonceParameter = string;
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2.

type OAuthUILocalesParameter = string;
End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.

type OAuthIDTokenHintParameter = string;
ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.

type OAuthMaxAgeParameter = string;
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an auth_time Claim Value.

type OAuthLoginHintParameter = string;
OPTIONAL. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's discretion.

type OAuthACRValuesParameter = string;
Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.